Public bug reported:

I have set up a keystone service (Mitaka) on Ubuntu, and it seems that the first call will always be to keystone's public API URL when you have set "public_endpoint" in keystone.conf.

For example, when I run the following openstack command, I always get the following error.

  $ubuntu@client:~$ openstack token issue
  Unable to establish connection to http://10.12.2.2:5000/fuga/v3/auth/tokens

The keystone endpoints are like this:

  public:   http://10.12.2.2:5000/fuga/v3
  admin:    http://10.12.1.2:35357/fuga/v3
  internal: http://10.12.3.2:5000/fuga/v3

The openstack client is installed on a client node, which is separate from the keystone node, and this client node has no network access to the public API network. So when accessing the public API, this is expected, but I have set the env variables like this:

  ubuntu@client:~$ env | grep OS_
  OS_USER_DOMAIN_NAME=default
  OS_PROJECT_NAME=admin
  OS_IDENTITY_API_VERSION=3
  OS_PASSWORD=openstack
  OS_AUTH_URL=http://10.12.1.2:35357/fuga/v3
  OS_USERNAME=admin
  OS_INTERFACE=admin
  OS_PROJECT_DOMAIN_NAME=default

Therefore, my expectation is that API access goes only through the admin URL. I have also tried with the internal API URL, but get the same error.

And of course, if the client node has public API network access, the openstack client works perfectly.

Also, if you just do not use the special path for the API URLs, so by not setting "public_api", it will also work perfectly.

According to this:
https://github.com/openstack/keystone/blob/stable/mitaka/keystone/version/service.py#L160
the "public" string is given, and here:
https://github.com/openstack/keystone/blob/stable/mitaka/keystone/common/wsgi.py#L372
the string is combined with "_endpoint", which becomes "public_endpoint", and if the URL is set, this public URL will be the initial access.

I have attached some info:
- /etc/keystone/keystone.conf
- /etc/apache2/sites-enabled/wsgi-keystone.conf
- output with debug option

** Affects: keystone
   Importance: Undecided
   Status: New

** Attachment added: "debugoutput-openstackclient.txt"
   https://bugs.launchpad.net/bugs/1661503/+attachment/4812390/+files/debugoutput-openstackclient.txt

--
https://bugs.launchpad.net/bugs/1661503

Title:
  If public_endpoint is set, the first call will be always public endpoint

Status in OpenStack Identity (keystone):
  New
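
The behaviour described in the report, as a simplified model: this is an added example, not keystone's or the openstack client's code. The function names, the document shape and the exact public_endpoint value are assumptions; only the endpoint addresses come from the report.

```python
from urllib.parse import urlsplit

# Constructed values based on the report's endpoint list; the exact
# public_endpoint setting in the reporter's keystone.conf is assumed.
AUTH_URL = "http://10.12.1.2:35357/fuga/v3"
CONF_SET = {"public_endpoint": "http://10.12.2.2:5000/fuga"}
CONF_UNSET = {"public_endpoint": None}


def base_url(conf, endpoint_type, request_url):
    """Server side: a configured '<type>_endpoint' overrides the URL the
    request actually arrived on."""
    configured = conf.get("%s_endpoint" % endpoint_type)
    return (configured or request_url).rstrip("/")


def discovery_doc(conf, endpoint_type, request_url):
    """Version document advertised to the client (shape simplified)."""
    href = base_url(conf, endpoint_type, request_url) + "/v3/"
    return {"version": {"id": "v3", "links": [{"rel": "self", "href": href}]}}


def token_url(doc):
    """Client side: the token request goes to the advertised 'self' link."""
    links = doc["version"]["links"]
    href = next(link["href"] for link in links if link["rel"] == "self")
    return href.rstrip("/") + "/auth/tokens"


def leaves_auth_host(auth_url, doc):
    """Check: does discovery send the client to a host other than OS_AUTH_URL's?"""
    return urlsplit(token_url(doc)).netloc != urlsplit(auth_url).netloc


def simulate(conf):
    # The request arrives on the admin address, as in the report.
    request_url = "http://10.12.1.2:35357/fuga"
    doc = discovery_doc(conf, "public", request_url)
    return token_url(doc), leaves_auth_host(AUTH_URL, doc)


if __name__ == "__main__":
    for name, conf in (("set", CONF_SET), ("unset", CONF_UNSET)):
        print("public_endpoint", name, "->", simulate(conf))
```

Comparing the host in the advertised link with the host in OS_AUTH_URL is a quick way to confirm this condition on a segmented network before looking at firewall rules.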

